Module 4: Networking

 Learning objectives

  • Networking basics
  • Public networking resources vs. private networking resources
  • Virtual private gateway
  • Virtual private network (VPN)
  • Benefits of AWS Direct Connect
  • Benefits of hybrid deployments
  • Layers of security used in an IT strategy
  • Services that customers use to interact with the AWS global network

Networking basics

"Who should be allowed to communicate with each other?"


Amazon VPC (Amazon Virtual Private Cloud)

A networking service that you can use to establish boundaries around your AWS resources is Amazon Virtual Private Cloud (Amazon VPC).

Amazon VPC enables you to provision an isolated section of the AWS Cloud, within which you organize your resources into subnets.


"One VPC might have multiple types of gateways attached for multiple types of resources all residing in the same VPC, just in different subnets."


Subnets

A subnet is a section of a VPC in which you can group resources (e.g. Amazon EC2 instances) based on security or operational needs.

In a VPC, subnets can communicate with each other. Subnets can be public or private. 

  • Public subnet
    • Purpose: Contain resources that need to be accessible by the public.
    • e.g. cashier, online store's website (Support the public-facing website.)
  • Private subnet
    • Purpose: Contain resources that should be accessible only through your private network.
    • e.g. barista, internal services (Isolate databases containing customers' personal information.)

This is similar to how you can use AWS networking services to isolate resources and determine exactly how network traffic flows.


Subnets are chunks of IP addresses in your VPC that allow you to group resources together.


Gateways: IGW (Internet Gateway)

An internet gateway is like a doorway that is open to the public. (public traffic)

An internet gateway is a connection between a VPC and the internet. Without an internet gateway, no one can access the resources within your VPC.

An internet gateway is used to connect a VPC to the internet.


Gateways: Virtual Private Gateway ➕ VPN

A virtual private gateway enables you to establish a virtual private network (VPN) connection between your VPC and a private network, such as an on-premises data center or internal corporate network.

A virtual private gateway allows traffic into the VPC only if it is coming from an approved network. (protected internet traffic)

  • Purpose
    • Access private resources in a VPC (Create a VPN connection between the VPC and the internal corporate network.)
  • Note
    • Even though your connection has extra protection, traffic congestion can still occur, because you share the bandwidth of the regular internet connection with other users.
  • Supplement
    • Virtual private network (VPN)
      • Like a bodyguard: it encrypts (or protects) your network traffic so that it is not affected by the other requests around it.



AWS Direct Connect

AWS Direct Connect is a service that lets you establish a dedicated private connection between your on-premises data center and the VPC.

AWS Direct Connect provides a physical line that connects your network to AWS VPC.

  • Benefits
    • The dedicated private connection that AWS Direct Connect provides can help you reduce network costs and increase the amount of bandwidth that can travel through your network.



Layers of Security

  • Network hardening
  • Application security
  • User identity
  • Authentication and authorization
  • Distributed denial of service (DDoS) prevention
  • Data integrity
  • Encryption

Network hardening - Subnets and Network ACLs

Network traffic in a VPC

When a customer requests data from an application hosted in the AWS Cloud, the request is sent as a packet. A packet is a unit of data sent over the internet or a network.

A packet enters a VPC through an internet gateway. Before a packet can enter or exit a subnet, its permissions are checked. These permissions indicate who sent the packet and how the packet is trying to communicate with the resources in the subnet.

The VPC component that checks packet permissions for subnets is a network access control list (ACL).


Packet ➡ Internet Gateway ➡ VPC ➡ Network ACL (subnet) ➡ Security group (EC2 instances)


Network ACLs ➡ passport control at the border 【Stateless】

A network ACL (network access control list) is a virtual firewall that controls inbound and outbound traffic at the subnet level.
  • Default behaviour of network ACLs, by analogy with airport arrivals/departures
    • Airport arrivals/departures (inbound & outbound): no checklist
      • 【Default】 The default network ACL allows all inbound and outbound traffic
  • Default network ACL: no checklist
    • Every AWS account includes a default network ACL
  • Custom network ACLs: have a checklist
    • All inbound and outbound traffic is denied until you add rules to specify which traffic to allow
  • Stateless packet filtering
    • They remember nothing and check packets that cross the subnet border each way: inbound and outbound.



After a packet has entered a subnet, it must have its permissions evaluated for resources within the subnet, such as Amazon EC2 instances.


Security groups ➡ building security check 【Stateful】

A security group is a virtual firewall that controls inbound and outbound traffic for an Amazon EC2 instance.

The VPC component that checks packet permissions for an Amazon EC2 instance is a security group.
  • Default behaviour of security groups, by analogy with entering/leaving a building
    • Entering the building (inbound): has a checklist
      • 【Default】 A security group denies all inbound traffic
    • Leaving the building (outbound): no checklist
      • 【Default】 A security group allows all outbound traffic
  • If you have multiple Amazon EC2 instances within the same VPC, you can associate them with the same security group or use different security groups for each instance.
  • Stateful packet filtering
    • They remember previous decisions made for incoming packets.
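Added illustration (not from the course notes): a small Python model of the packet path above, contrasting the stateless network ACL with the stateful security group. It shows why a network ACL needs an explicit outbound rule for the client's ephemeral port before the web server's reply can leave the subnet, while the security group allows the reply on its own. All addresses, ports and rule numbers are constructed sample values.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")
Rule = namedtuple("Rule", "number port_lo port_hi action")  # action: "allow"/"deny"

class NetworkACL:
    """Stateless subnet filter: per-direction numbered rules, no memory of earlier packets."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r.number),
                      "out": sorted(outbound, key=lambda r: r.number)}

    def check(self, pkt, direction):
        for r in self.rules[direction]:  # lowest rule number wins
            if r.port_lo <= pkt.dport <= r.port_hi:
                return r.action
        return "deny"  # the implicit final '*' rule denies anything unmatched

class SecurityGroup:
    """Stateful instance filter: inbound rules only, outbound open, replies to tracked connections allowed."""
    def __init__(self, inbound_ports):
        self.inbound_ports = set(inbound_ports)
        self.tracked = set()  # connections seen, as (src, sport, dst, dport)

    def check(self, pkt, direction):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key[2:] + key[:2] in self.tracked:
            return "allow"  # reply to a tracked connection: rules are not consulted
        if direction == "out" or pkt.dport in self.inbound_ports:
            self.tracked.add(key)
            return "allow"
        return "deny"

def round_trip(nacl, sg, request):
    """Client request enters the subnet, instance reply leaves it; decision per leg."""
    reply = Packet(request.dst, request.dport, request.src, request.sport)
    if nacl.check(request, "in") != "allow" or sg.check(request, "in") != "allow":
        return {"request": "deny", "reply": "n/a"}
    if sg.check(reply, "out") != "allow":
        return {"request": "allow", "reply": "deny"}
    return {"request": "allow", "reply": nacl.check(reply, "out")}

# Constructed sample: a web server at 10.0.1.10:443, client on an ephemeral port.
REQUEST = Packet("203.0.113.5", 51000, "10.0.1.10", 443)
HTTPS_ONLY = [Rule(100, 443, 443, "allow")]
EPHEMERAL = [Rule(100, 1024, 65535, "allow")]
NACL_FORGOT_EPHEMERAL = NetworkACL(inbound=HTTPS_ONLY, outbound=HTTPS_ONLY)
NACL_CORRECT = NetworkACL(inbound=HTTPS_ONLY, outbound=EPHEMERAL)

if __name__ == "__main__":
    print(round_trip(NACL_FORGOT_EPHEMERAL, SecurityGroup([443]), REQUEST))
    print(round_trip(NACL_CORRECT, SecurityGroup([443]), REQUEST))
```

With the forgetful network ACL the request reaches the instance but its reply is dropped at the subnet boundary; with the ephemeral-port rule both legs pass.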


Global Networking

Amazon Route 53 = DNS (Domain Name System)

Amazon Route 53 is a DNS web service. It gives developers and businesses a reliable way to route end users to internet applications hosted in AWS. 

  • Functions
    • Amazon Route 53: Manage the DNS records for domain names
      • Register new domain names directly in Route 53
      • Transfer DNS records for existing domain names managed by other domain registrars
      • It can direct traffic to different endpoints using different routing policies
        • Amazon Route 53 routing policies
          • Latency-based routing
          • Geolocation DNS
          • Geoproximity routing
          • Weighted round robin
    • DNS: Translating a domain name to an IP address (DNS resolution)
    • Benefits
      • Highly available & scalable


Amazon CloudFront = CDN (Content Delivery Network)

A network that delivers edge content to users based on their geographic location.


